npm

bvm-core @1.1.43

Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC

Malicious

OSV ID

MAL-2026-10728

Ecosystem

npm

Summary

dist/index.js in bvm-core@1.1.43 imports child_process and issues fetch() calls to the hardcoded host https://bvm-core.nexsail.top at the top of the bundled module, alongside a secondary fetch to registry.npmmirror.com. The combination — a lookalike domain that mirrors the package name on an unrelated TLD, module-load-time network calls, and child_process usage in the same bundle — is the fingerprint of an install/import-time beacon and command execution channel, not a legitimate SDK call. The package name resembles established bvm version-manager tooling but the code routes traffic to an author-controlled host on nexsail.top rather than to any documented registry or vendor endpoint.

Source: amazon-inspector (87ff2c7d903c5594ba5fa2e11d3fe6281380a5f2d010a1a0e3c0679464ab1fca)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.